03/12/99 

• 

ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 07-03-2012 BY 60324/UC/baw/sab/aio

ICMIPROl 

10:03:41 


FD-192 

Page 1 


Title and Character of Case: 

AIR FORCE INSTITUTE OF TECHNOLOGY
MOONLIGHT MAZE 


Date Property Acquired:
02/08/1999 


Barcode: E1394242 


Location: BGRAUl 


Case Number: 288-CI-68562
Owning Office: SAN ANTONIO










10/11/98

10:10:34 


Title and Character of Case: 

AIR FORCE INSTITUTE OF TECHNOLOGY


DECLASSIFIED BY 60324/UC/baw/sab/aio
ON 07-03-2012


FD-192


ICMIPROl 
Page 1 


Date Property Acquired: 
09/25/1998 


Anticipated Disposition: 


Description of Property: 
ID 1 


CHARLESTON IL 




ich Property Acquired 
lU 


Case Agent



Date Entered 


TAPE #14058 

1 8MM SONY DATA CARTRIDGE 
VOLUNTEERED 


Barcode: E1474422 


Location: ELSURl 


CAB4 


10/11/1998 




Case Number: 288-CI-68562
Owning Office: SPRINGFIELD




SEARCHED
SERIALIZED
INDEXED
FILED

OCT 11 1998

FBI - SPRINGFIELD











021 ^ 1/99 ^ 

12:03:13 


Title and Character of Case:


FD-192 


ICMIPROl 
Page 1 


AIR FORCE INSTITUTE OF TECHNOLOGY
MOONLIGHT MAZE


Date Property Acquired: 
03/12/1999 


Property Acquired 
PEN REGISTER 



Case Number: 288-CI-68562-
Owning Office: PHILADELPHIA 








FD-448 (Rev. 6-2-97)



FBI FACSIMILE 
COVER SHEET 


PRECEDENCE

□ Immediate
□ Priority
□ Routine


CLASSIFICATION

□ Top Secret
□ Secret
□ Confidential
□ Sensitive
□ Unclassified


Time Transmitted: 
Sender's Initials:
Number of Pages: 




(including cover sheet) 




To:

Name of Office

Date:

Facsimile Number:

Attn:

Name    Room    Telephone


From:

Name of Office

Subject:

b6
b7C


Special Handling Instructions: 


Originator's Name: 





Telephone: 


Originator's Facsimile Number: 
Approved: _ 





Brief Description of Communication Faxed: 


WARNING 

Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this 
information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC § 641). Please
notify the originator or local FBI Office immediately to arrange for proper disposition. 



FD-801 (Rev. 7-15-97) 




FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE
Date: 06/15/1998

To: Director, FBI
Attn: Computer Investigations Unit, CIOS, NIPC, Rm. 11887


From: SAC, Cincinnati 


Approved By: 


Drafted By: 


Case ID #: 288-CI-O 




Title: Subject: UNSUB;
Victim: USAF-Cataloging and Standardization
Type: Intrusion
Date: 6/2/98


SUBMISSION: X Initial □ Supplemental □ Closed 


CASE OPENED: 


/ / 




CASE CLOSED: 

□ No action due to state/local prosecution 

(Name/Number_ 

□ USA declination 

□ Referred to Another Federal Agency 

(Name/Number:_ 

□ Placed in unaddressed work 

□ Closed administratively 

□ Conviction 


COORDINATION: FBI Field Office _JP SJ\ _|iflbRA4 ———^ 

Government Agency: AFOSI Detachment 101, WPAFB, Dayton, OH
Private Corporation:





Company name/Government agency: USAF

Address/location: Federal Center, Battle Creek, MI

Purpose of System: 1) Dracula; e-mail; back up DNS 2) Hyde; Database server
Highest classification of information stored in system: Unclassified




SEARCHED
SERIALIZED

JUN 17 1998

CINCINNATI



To: Director, FBI From: SAC,

Re: 288- , Date 


System Data: 

Hardware/configuration (CPU): 1) SunSparc20 2) SunSparc 1000

Operating System:_Solaris 2.4_ 

Software:_E-mail exchanger; Unify_ 

Security Features: 

Security Software Installed: □ yes (identify_) X no 

Logon Warning Banner: X yes □ no

INTRUSION INFORMATION 

Access for intrusion: □ Internet connection □ dial-up number □ LAN (insider) 

If Internet: Internet address: I 

Network name: 


Method: 

Technique(s) used in intrusion:_(list provided) 

Path of intrusion: 


addresses: 1. 

2. 

3. 

4. 

5. 

country: 1,_ 

2. 

3. 

4. 

5. 

facility: 1._ 

2. 

3. 

4. 

5. 


Subject: 


Age: 

Race: 

Sex: 

Education: 


Alias(s):_Motive: 

Group Affiliation:_

Employer:_ 

Known Accomplices: _ 

Equipment used: 

Hardware/configuration (CPU):_ 

Operating System:_

Software:_ 

Impact: 

Compromise of classified information: □ yes X no 

Estimated number of computers affected:_2_ 

Estimated dollar loss to date: Unknown 



To: Director, FBI From: SAC,

Re: 288- , Date


Category of Crime: 

Impairment: 

□ Malicious code inserted 

□ Denial of service 

□ Destruction of information/software 

□ Modification of information/software 


Intrusion: 

X Unauthorized access Stat D 
□ Exceeding authorized access 


Theft of Information: 

□ Classified information compromised 

□ Unclassified information compromised 

□ Passwords obtained 

□ Computer processing time obtained 

□ Telephone services obtained 

□ Application software obtained 

□ Operating software obtained 


REMARKS 



(01/26/1998) 


SECRET

FEDERAL BUREAU OF INVESTIGATION 




Precedence: ROUTINE Date: 08/10/1998 

To: National Security
Attn: NIPC-CIU, Room 11887;
SSA | |

From: Cincinnati

Title: (U) UNSUB(S);
UNITED STATES AIR FORCE
INSTITUTE OF TECHNOLOGY,
HACKING ATTACK


Synopsis: Preliminary information and case summary concerning captioned matter.



matter. 


b6

b7C

b7E






tCL 









To: National Security From: Cincinnati 

Re: (U) 288-CI-68562, 08/10/1998


telephone: | |

| | Detective, UC Department of Police,

| | Systems Engineer, UC College of Engineering, telephone: | |

On 08/[illegible]/1998, SSA | |, Squad 4 Supervisor, and SA | |, Case Agent, attended a meeting at WPAFB to discuss the mission and direction of captioned matter.


Referral/Consult 


The following investigative steps/leads were discussed:

1. NSD/NIPC will pursue the possibility of obtaining a


■ 


Referral/Consult 






FD-759 (Rev. 5-25-95)


ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 07-05-2012 BY 60324/UC/baw/sab/aio


To: Director, FBI
Attn: CID, ___ Section

7/31/98

From: SAC,

Title:
HTiCKM iifmiOi <M

For FBI Field Office use only

Notification of SAC Authority Granted for Use of
CONSENSUAL Monitoring Equipment
(Check only ONE)

X Routine Use

□ Emergency Use-Sensitive Circumstances (cannot exceed
30 days & may be extended only by FBIHQ)

b7E

This form must be typewritten & submitted within 10 working days
of the date authority is granted as shown in Item 5 below.


1. Reason for Proposed Use: (Check)

□ Corroborate Testimony
□ Protect Consenting Party
□ Protect Government Property
X Collect Evidence
□ Other (Specify)

2. Type of Equipment: (Check)

□ Transmitter/Receiver □ Concealed Recorder
□ CCTV/Audio & Video □ CCTV Video only
□ Microphone □ Telephone
X Other (Specify) S-!efe;esrlc iaoiiittOr

3. Consenting Party (Identify ONLY on Field Office Copy)

X Nonconfidential Party
□ Confidential Source
□ Cooperative Witness

4. Interceptee(s): (Include Title if Public Official)

of Cincinnati, College of
Engineering & Science

& others as yet unknown.

5. Duration of proposed use:

Authorized On:

For the duration of investigation
□ For 30 days (Emergency NTCM usage)
Expiring On:

6. Equipment Concealed:

□ In a Motel Rm. □ In a Telephone
□ In a Residence □ On a Person
□ In a Vehicle
Other (Specify)

7. City & State where Equipment will
be used: C*f - Ohio

8. The following mandatory requirements have been met:

X Consenting party has agreed to testify;
X Consenting party has executed a consent form; &
X Recording/transmitting device will be activated
only when consenting party is present.

9. Government Attorney in judicial district where monitoring and/or
recording will take place has been contacted; foresees no entrapment;
& concurs in the use of the technique.

Yes □ No Date of Contact: // 7 / / ^

b6

Identity of Gov't Atty: u-in

Judicial District: District of Ohio

10. Violation(s): Title(s) Sec(s) USC


11. DOJ notification required □ Yes X No. If "Yes" check reason below:


NOTE: Requests for Routine NTCM usage involving any of the 7 sensitive circumstances requires a teletype to HQ prepared in the format described in
the MIOG, Part II, Section 10-10.3 (8). Request for Emergency NTCM usage involving Item 6 below requires immediate contact with the FBIHQ
substantive desk for DOJ approval. The 7 sensitive circumstances do not apply to the use of CCTV video only.

1. □ Interception relates to an investigation of a member of Congress; a Federal Judge; a member of the Executive Branch at Executive Level IV or
above; or a person who has served in such capacity within the previous 2 years.

2. □ Interception relates to an investigation of any public official and the offense investigated is one involving bribery; conflict of interest; or extortion
relating to the performance of his/her official duties.

3. □ Interception relates to an investigation of a Federal law enforcement official.

4. □ Consenting/nonconsenting party is a member of the diplomatic corps of a foreign country.

5. □ Consenting/nonconsenting party is or has been a member of the Witness Security Program and that fact is known to the agency involved or its
officers.

6. □ Consenting/nonconsenting party is in the custody of the Bureau of Prisons or the U.S. Marshals Service.

7. □ Attorney General; Deputy Attorney General; Associate Attorney General; Assistant Attorney General for the Criminal Division; or the U.S. Attorney
in the district where an investigation is being conducted has requested the investigating agency to obtain prior written consent for making a
consensual interception in a specific investigation.

12. Synopsis of Case: (Attach additional page if necessary)

Please see attached.

Field Approval

14. CDC (If Sensitive Circumstances Exist)

Signature Date:

13. Justification statement necessitating emergency authorization:

□ Emergency 30 day authorization granted due to imminent need (within
48 hours) for use of consensual monitoring device(s), which precluded
the handling of this request in the usual manner.

□ Other (Attach Additional Page to Specify)

Signature Date:

FBIHQ Approval

16. Unit Chief (If Sensitive Circumstances Exist)

Signature Date:

1-Government Attorney's Office



COPY 4 







b. Governing Statutes:


(U) Title 18, United States Code (USC), Section 1030, Fraud and Related Activity in 
Connection with Computers 

MISSION: 

The primary mission of this operation will be to identify modus operandi, tradecraft
and tools being utilized by this hacker. If possible, determine if the hacker is associated
with a Foreign Intelligence Service and the extent of the FIS involvement and direction in
his/her activity. If this is a FIS operation it would also provide extensive insight into the
conduct of FIS and their capabilities in attacking our information systems. Through these
efforts we will identify the vulnerabilities which allowed this individual to gain access to
the computer systems, thereby being able to anticipate and develop countermeasures to
prevent this from taking place in the future. This would not only apply to the
AFIT/WPAFB systems but to computer systems throughout the Department of Defense.

(U) A secondary objective of this investigation is to reduce, through prosecution, the 
hacking activities against military, commercial and private computer and network 





FD-759 (Rev. 5-25-95)


To: Director, FBI
Attn: CID, ___ Section

7/31/98

From: SAC, CINCINNATI

Title: UNSUB(S);
BtSliF
OF secojeologs:
nw?.f»tr a?; ;
(288-CI-68562)


Notification of SAC Authority Granted for Use of
CONSENSUAL Monitoring Equipment
(Check only ONE)

X Routine Use

□ Emergency Use-Sensitive Circumstances (cannot exceed
30 days & may be extended only by FBIHQ).

b7E

This form must be typewritten & submitted within 10 working days
of the date authority is granted as shown in Item 5 below.


1. Reason for Proposed Use: (Check)

□ Corroborate Testimony
□ Protect Consenting Party
□ Protect Government Property
X Collect Evidence
□ Other (Specify)_

2. Type of Equipment: (Check)

□ Transmitter/Receiver □ Concealed Recorder
□ CCTV/Audio & Video □ CCTV Video only
□ Microphone □ Telephone
X Other (Specify)

3. Consenting Party (Identify ONLY on Field Office Copy)

X Nonconfidential Party
□ Confidential Source
□ Cooperative Witness


4. Interceptee(s): (Include Title if Public Official)

State University, College of
Engineering & Computer Science

& others as yet unknown.


5. Duration of proposed use:
Authorized On:

X For the duration of investigation
□ For 30 days (Emergency NTCM usage)
Expiring On:_

6. Equipment Concealed:

□ In a Motel Rm. □ In a Telephone
□ In a Residence □ On a Person
□ In a Vehicle
Other (Specify)

7. City & State where Equipment wil]

8. The following mandatory requirements have been met:

X Consenting party has agreed to testify;
X Consenting party has executed a consent form; &
X Recording/transmitting device will be activated
only when consenting party is present.

9. Government Attorney in judicial district where monitoring and/or
recording will take place has been contacted; foresees no entrapment;
& concurs in the use of the technique.

X Yes □ No Date of Contact: _ 9 _f / 7 / V _

Identity of Gov't Atty: AUSA | |

Judicial District: SEISMS

b6
b7C

10. Violation(s): Title(s)_ Sec(s) 1030 USC


11. DOJ notification required □ Yes X No. If "Yes" check reason below:

NOTE: Requests for Routine NTCM usage involving any of the 7 sensitive circumstances requires a teletype to HQ prepared in the format described in
the MIOG, Part II, Section 10-10.3 (8). Request for Emergency NTCM usage involving Item 6 below requires immediate contact with the FBIHQ
substantive desk for DOJ approval. The 7 sensitive circumstances do not apply to the use of CCTV video only.

1. □ Interception relates to an investigation of a member of Congress; a Federal Judge; a member of the Executive Branch at Executive Level IV or
above; or a person who has served in such capacity within the previous 2 years.

2. □ Interception relates to an investigation of any public official and the offense investigated is one involving bribery; conflict of interest; or extortion
relating to the performance of his/her official duties.

3. □ Interception relates to an investigation of a Federal law enforcement official.

4. □ Consenting/nonconsenting party is a member of the diplomatic corps of a foreign country.

5. □ Consenting/nonconsenting party is or has been a member of the Witness Security Program and that fact is known to the agency involved or its
officers.

6. □ Consenting/nonconsenting party is in the custody of the Bureau of Prisons or the U.S. Marshals Service.

7. □ Attorney General; Deputy Attorney General; Associate Attorney General; Assistant Attorney General for the Criminal Division; or the U.S. Attorney
in the district where an investigation is being conducted has requested the investigating agency to obtain prior written consent for making a
consensual interception in a specific investigation.

12. Synopsis of Case: (Attach additional page if necessary)

Please see attached.



Field Approval

14. CDC (If Sensitive Circumstances Exist)

Signature Date:

13. Justification statement necessitating emergency authorization:

□ Emergency 30 day authorization granted due to imminent need (within
48 hours) for use of consensual monitoring device(s), which precluded
the handling of this request in the usual manner.

□ Other (Attach Additional Page to Specify)

15. SAC

Signature Date:

FBIHQ Approval

16. Unit Chief (If Sensitive Circumstances Exist)

Signature Date:

1-Government Attorney's Office



COPY 4 



FD-302 (Rev. 10-6-95) 




FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 


08/12/98 


employed












FD-302a (Rev. 10-6-95) 



explained| |They share a working 













FD-302a (Rev. 10-6-95) 


288-CI-68562 


Continuation of FD-302 of 


On 08/07/98 


Page


4 



b6

b7C

b7E








(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE
Date: 08/13/1998

To: Cincinnati
Attn: SA

From: Columbia
Charleston Resident Agency
Contact: SA

Approved By:

Drafted By:

Case ID #: 288-CI-68562 (Pending)

Title: Unknown Subject; 

Wright-Patterson Air Force Base - Victim; 

CITA - THEFT 

Synopsis: Lead to interview officials at South Carolina Research Authority (SCRA) | |


J 


Administrative: 


| | The results of the interview of | | are set forth in the enclosed FD-302. The items provided
by | | during the interview were furnished in duplicate. The
originals of the items were received by the FBI and a receipt was
provided to | | for the items. The original items received
and the receipt are also enclosed to this EC. The copy of the
| | by | | was made available to AFOSI,

b3
b6
b7C

OTHER Sealed Court Documents


Enclosures: Enclosed for CI is the original and two copies of an
FD-302 | | interview | |
which was jointly conducted by the FBI and AFOSI.

Also enclosed for CI are the following:

1. A 1-A containing the original receipt provided to 
SCRA. 


b 

b 





- / 




To: Cincinnati From: Columbia 
Re: 288-CI-68562, 08/13/1998 


:b3 

OTHER Seal Court D( 



Columbia Division, Charleston RA, is taking no further
action regarding this investigation, unless requested to do so by 


FD-302 (Rev. 10-6-95) 




FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 08/05/1998 


| |, white male, | | College
of Engineering, 628 Engineering Research Center, University of
Cincinnati, Cincinnati, Ohio 45221, telephone number
| | was advised of the identity of the interviewing Agent and
the purpose of the interview.

| | advised that he had the authority to monitor the
activities of the computers located in the Engineering Research
Center. | | signed an FD-472, authorizing the Federal Bureau
of Investigation to initiate the monitoring of these computers.

| | provided a list of the Transmission Control
Protocol/Internet Protocol (TCP/IP) addresses and fully qualified
domain names for the computers in the Engineering Research
Center. | | also advised that all of these computers
contained the appropriate banners.


Investigation on 07/31/1998 at Cincinnati, Ohio

File # 288-CI-68562

Date dictated 08/05/1998

by SA


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 




FD-472 (Rev. 1-9-92) 




Aot.r a\, 1*^16 



(Date) 

UirviOcygLiUi QvyCiVvM-Vv yC Vlr^ 

(Location) 


of 


I_r/ 

, hereby

(Address) 


authorize Special Agents __ 





, of the Federal Bureau of 


b6

:b7C 


and 


install a recording device on any telephone utilized by me for the
purpose of recording any telephone conversation(s) I may have with

_ and others as yet unknown

(Name of Subject(s))

(Date)

and continuing thereafter.

I understand that I must be a party to any conversation in order to
record that conversation. I therefore agree not to leave the recording
equipment unattended or take any action which is likely to result in the
recording of conversations to which I am not a party.

and/or to:

□ install a Trap and Trace device in conjunction with the
appropriate provider(s) of electronic or wire communications
service and/or long distance carrier for the purpose of
identifying telephone numbers from which incoming calls are
placed to telephone number
located at

voluntarily, and without threats or





b7C 



FBI/D OJ 








(01/26/1998) 


SECRET


FEDERAL BUREAU OF INVESTIGATION 


Precedence: PRIORITY 


To: National Security 


Date: 08/23/1998 


Attn: NIPC


From: Cincinnati

Squad 4 
Contact: S 




Approved By: 

Drafted By: _ 

Case ID #: (U) 288-CI-68562 (Pending)

Title: UNSUB(S);
UNITED STATES AIR FORCE
INSTITUTE OF TECHNOLOGY,

Synopsis: (U) Summary update of captioned matter.


Der3?Ved--^gr^ft'T''G-3 

DeslasSxryUi«~CSl^ 

(U) Details: What follows is a brief synopsis of actions
accomplished as of 08/21/1998:

FBI Cincinnati obtains consent to monitor UC's
College of Engineering and Computer Science subnet 129.137.41.x
utilizing FBI Form FD-472 on July 31, 1998.

SECRET




Smrchc^, 







To: National Security From: Cincinnati 

Re: (U) 288-CI-68562, 08/23/1998





| | learned the following, UC's
system network interface utilizes a 10 megabit Ethernet pipe out
to the Internet.

In order to monitor UC's College of Engineering
and Computer Science subnet, two options exist:

(U) A mutual suggestion was discussed. Inasmuch that
SCRA's network has been blocked from all possible angles from UC,
WSU, Infinet and WPAFB, the consensus was that SCRA be dropped
from further scrutiny due to limited resources and time
constraints.








* \ 



To: National Security From: Cincinnati
Re: (U) 288-CI-68562, 08/23/1998

Cincinnati respectfully requests that FBIHQ
coordinate with AFOSI HQ (DOD) to ameliorate legality issues
presented on page three of this communication.

Cincinnati Division expects to conduct
witness/suspect/victim interviews during the latter part of
August, 1998, and the first week of September, 1998.

Investigation continuing at Cincinnati.

(U) X) 


♦ ♦ 






SECRET


5 









(U) | | Lexis/Nexis, and LEADS confirmed portions of
the above information and by separate insert added certain
details.
















(01/26/1998)

SECRET

FEDERAL BUREAU OF INVESTIGATION


Precedence: PRIORITY
Date: 09/04/1998

To: National Security
Attn: NIPC-CIU, Room 11887;
SSA | |

Springfield
Attn: Champaign RA

From: Cincinnati
Squad 4
Contact: SA | |

Approved By:

Drafted By:

Case ID #: (U) 288-CI-68562 (Pending)

Title: (U) UNSUB(S);
UNITED STATES AIR FORCE
INSTITUTE OF TECHNOLOGY,
HACKING ATTACK

b6
b7C

b7E


X 


Synopsis: Lead set for Springfield Division, Champaign RA,

OTHER Sealed Court Docum

Enclosures: Enclosed for Springfield Division, Champaign
RA | |

b6
b7C


Details: (S) For information of Springfield Division, Champaign
RA, Cincinnati Division, along with United States Air Force
Office of Special Investigations (AFOSI), are jointly
investigating intrusions into computers located at Wright-
Patterson Air Force Base (WPAFB), Dayton, Ohio. The intrusions
appear to be originating in Russia, hopping through University of
Cincinnati, then terminating at WPAFB. The intruder has
transferred several sensitive, though not classified files, to

Searched
Indexed
Filed






To: National Security From: Cincinnati

Re: (U) 288-CI-68562, 09/04/1998



On 08/26/1998, the intruder was observed making 
connections to various other sites not previously seen, to 
include Eastern Illinois University (EIU). At approximately 0403 
CUT, August 31, 1998, the intruder connected to uxl.cts.eiu.edu 
(139.67.8.3) via telnet, and subsequently via File Transfer 
Protocol (FTP). Cincinnati Division is desirous of obtaining the 
username which the intruder accessed into EIU’s system. 

Cincinnati Division appreciates assistance from 
the Springfield Division, Champaign RA. 
Set Lead 1:
15:15:18

Case ID: 288-CI-68562 
Serial: 15 


DECLASSIFIED BY 60324/UC/baw/sab/aio 
Lead Upload Report ICMLPEll

Page 1 


Lead 1 Set to: SPRINGFIELD 


Total leads set: 1
Total leads not set: 0

FEDERAL BUREAU OF INVESTIGATION


Date of transcription 


09/19/98 


purpose of the interview, 
following information; 



- non 

ssanI 

PObI Ivis 

TW _ 

1 Telephone:] 


fromf 


voluntarily furnished the 

f 


| | advised she came to Cincinnati under an F-1 visa
| | She chose to attend | | because it
was one of the few universities that accepted her. She obtained
limited funds from | | an entity from | | that funds
students to study abroad. She is currently a Ph.D.
candidate in | |


Prior to arriving in the U.S. | | was employed as a
| | Her duties involved | |

| | worked as | | at the | |
Her job entailed | |

| | attended and studied | | She
obtained an M.S. degree in | | at | |

| | advised she has no family and/or relatives
residing with her, | | She maintains telephonic and e-mail
contact with family and friends | |


| | revealed she gave her computer password out to
her boyfriend | | so that he could e-mail
messages to her. Her password at that time was | | She
claims she changed her password after only two days because she
knew it was wrong to give out her password. Her boyfriend is a
| | She claims not to

b6
b7C

b6
b7C

b6
b7C


Investigation on 09/18/98 at Cincinnati, Ohio

File # 288-CI-68562

SA | |
by SA | |

Date dictated 09/19/98

This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


b6

b7C 




FD-302a (Rev. 10-6-95) 


288-CI-68562 


Continuation of FD-302 of 


, On 09/18/98, Page


know whether her boyfriend ever served with | |
and/or ever held a clearance.

| | affirmed she visited her parents and friends in
| | With respect to her long term goals,
| | expects to remain at | | for another four
to five years to pursue her Ph.D. | | Upon
graduation, she would like to work in the U.S. for about one
year, provided she can find a host and obtain employment, before
returning to | | or some other European country.

b6
b7C


| | stated she has never maintained contact with any
government officials either in the U.S. or overseas. She has
never been tasked by a Foreign intelligence Officer to operate
either covertly or overtly in the U.S. | | advised she would
contact the writer if any unusual activity would ever take place
concerning her studies | | and her travels abroad | |

| | is currently a | | wherein
she receives a stipend to cover tuition and modest living
expenses. Her research, though unclassified, involves | |

b6
b7C

| | recalled that in | | or so, she was
informed by the systems administrator to change her password.
She learned that someone unknown had used her password to hack
into | | network using her account. She changed her password
and never heard back from the systems administrator.


b6 

b7C 
DATE 07-06-2012 BY 60324/UC/baw/sab/aio


- 1 -

FEDERAL BUREAU OF INVESTIGATION


Date of transcription 09/14/98


DOB | |
SSAN | |
telephone: | |
was advised of the identity of the interviewing
Agents and the purpose of the interview. | | voluntarily
furnished the following information:

| | recollected that on or about May 15, 1998,
he returned from a business trip to Japan. Upon returning to
work, he was informed by two co-workers that his Picard account
had been hacked into. He learned that the intrusion came from
the University of Cincinnati (UC).

| | revealed that his computer usage is minimal.
He uses the computer for word processing and e-mail. He has two
e-mail accounts; Picard for long distance e-mail and Teamlinks
for e-mail within Wright Patterson Air Force Base (WPAFB).

| | advised that as a result of the hacking
incident, the computer network systems administrator issued
everyone with a new password, based on name and telephone number.
Despite this precaution, the account was again hacked. As
recently as July, 1998, the systems administrator instructed
every user to alter their passwords to make them more difficult
to penetrate.


| | relayed that his Picard e-mail contacts are
extensive. He stated that in the last year he has received many
messages from the U.S. and from numerous countries abroad to
include: England, France, Germany, Finland, Russia, Chile,
Japan, and | |. The e-mail message from Russia
came from | | a reputed well known scientist from
| | He believes | | is from | |

| | recalled that | | has traveled to
Dayton and/or Columbus, Ohio and San Francisco, California
sometime in 1996,
seeking joint venture projects with WPAFB researchers. WPAFB is
precluded from accepting any joint venture projects with
| | according to | |

| | annually makes numerous requests | |

| | added that | |
has published numerous articles on titanium aluminite.

| | recollected that he received one e-mail


b6 

:b7C 


b6 

b7C 


be 

b7C 


Investigation on 09/11/98 at Dayton, Ohio

File # 288-CI-68562

SA | |
by SA | |

Date dictated 09/14/98

(AFOSI)


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 


b6

Continuation of FD-302 of | | , On 09/11/98, Page 2

message from a | | who inquired about
scientific research.


According to | | his e-mail contacts with U.S.
persons and individuals overseas are all researchers and
scientists from sundry educational institutes. The e-mail
messages concern scientific discussions relating to metallurgy.
| | asserted that none of his e-mail contacts appear to be
out of the scope of his purview. | | added that none of
the e-mail messages requested secret or proprietary information


_ ^ 

1 revealed he obtained his U.S. citizenship on 
LS—a_ g-i.qbf^T- anri r«oiiging r-iagi rli nr-f in England. 

1 ri 


He has worked in [redacted] in the past. As
a physicist working in the aforementioned countries, he has never
held a security clearance. He maintains no foreign government
contacts.


b6

b7C

FEDERAL BUREAU OF INVESTIGATION


Date of transcription 09/14/98


[redacted], DOB [redacted], SSAN [redacted],
telephone: [redacted], was advised of the identity of the
interviewing Agents and the purpose of the interview. [redacted]
voluntarily furnished the following information:


[redacted] recalled that approximately a few months ago she
received a telephone call on a Monday from [redacted] (ATI-
CORP), inquiring whether or not she was logged on to their system
at 3:00 A.M. in the morning. [redacted] responded negatively and
from that moment forward they realized that an unknown individual
utilized her username and password to break into the SCRA/ATI-
CORP computers and then into Wright Patterson Air Force Base
(WPAFB), Dayton, Ohio.


[redacted] had an account at SCRA/ATI-Corp for about three
years to transfer files and slides relating to the Rapid
Prototyping of Application Specific Signal Processing (RASSP) 
program. She stated that she no longer holds this account since 
this incident occurred. The account was shut down. She claims 
that none of this information was classified or sensitive. Her 
job requires that she review material to ensure that it is 
cleared for public domain. The information was publicly 
released/releasable. 


[redacted] advised she maintains accounts on elhp and
Fleetwood at her office. She also has root password with her
system administrator, [redacted] maintains a flyer net
account and a sabre account at the University of Dayton (UD).
She had an account at the Air Force Institute of Technology
(AFIT) but believes it is no longer valid. [redacted] had a
temporary account at the University of Cincinnati (UC) for a
three day course she attended at UC [redacted]. She
held one other account at a company called RTI but believes it is
no longer open.


[redacted] asserted that her ATI-Corp account was mainly
used for education modules and to transfer files through FTP.
She occasionally remote shelled to that account. [redacted] recalled
that a week prior to this incident, she logged onto the ATI-Corp
machine to FTP some files. She believes she logged on from elhp.


b7C
(AFOSI)



1 



FD-302a (Rev. 10-6-95)


288-CI-68562


Continuation of FD-302 of [redacted], On 09/11/98, Page


She FTP'd information from her PC on other occasions.
[redacted] affirmed that she has never given out any of her
passwords with the exception of her root password on elhp which
[redacted] has access to.


b6

b7C


[redacted] revealed that her password at ATI-Corp
was a combination of upper and lower case letters and symbols
which would have been difficult to decipher. [redacted] changed her
password to [redacted] per the request of [redacted].

[redacted] added that "the subject probably could have
gotten away with it if they wouldn't have logged in at 3:00 A.M.
on a Sunday morning."


Iwas born inf 


resides inf 


__ the daughter of a 

She has one brother who 


[redacted] with their mother. Her father is deceased.

to finish high school in 


arrived in the U.S. in 


returned to|_ 

English grammar atf 


[redacted] where her brother previously resided. She


to visit her parents and taught 


three months during the summer. 


]for 


bo 

:b7C 


[redacted] was previously married to an active duty U.S.
military serviceman. She has been divorced for [redacted] years.


She 


■i1 1 7 a n .through her previous marriage to a U.S. 

occasionally travels overseas to visit her


\ Her last trip 


1 


was 


is a U.S. 
citizen, 
family 
years ago. 

clearance either in the U.S. or overseas. [redacted]

limited contact with friends and family overseas via e-mail. 


approximately 

affirmed she has never held a security


maintains 
(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION


Precedence: PRIORITY    Date: 09/19/1998

To: National Security    Attn: NIPC, SSA [redacted], Room 11887

From: Cincinnati
Squad 4
Contact: [redacted]

Approved By:

Drafted By:

Case ID #: (U) 288-CI-68562 (Pending)

Title: CHANGED
MOONLIGHT MAZE


Synopsis: (U) Interviews conducted at Cincinnati Division.

Previous Title: Title marked "Changed" to reflect new title
as, "MOONLIGHT MAZE." Title previously carried as, "UNSUBS;
UNITED STATES AIR FORCE INSTITUTE OF TECHNOLOGY, HACKING ATTACK
ON: [redacted]




Enclosures: Enclosed for FBIHQ are three separate copies of
FD-302s of interviews conducted by the writer of [redacted]
and one Air Force Form 1168 with attached
statement of [redacted].


Details: For information of FBIHQ, FBI Cincinnati and
United States Air Force, Office of Special Investigations
(AFOSI), Wright-Patterson AFB, Dayton, Ohio, conducted four
victim/witness interviews. The results of those interviews are
enclosed as enclosures for NIPC-CIU, FBIHQ.

Cincinnati Division plans to re-interview [redacted]
based on her nervous demeanor and her apparent, less than
candid responses concerning boyfriend who resides in [redacted].
[redacted] computer password at [redacted]
will be closely monitored to




_ 


i ifC 






To: National Security From: Cincinnati
Re: 288-CI-68562, 09/19/1998


determine whether a change in the subject(s) modus operandi
(hacking tools and signature) is detected. A change in the
subject(s) hacking activity could explain a nexus between the
subject(s) and [redacted] considering her telephonic and e-mail
contacts with her boyfriend [redacted] and her recent travels


Based on the aforementioned, Cincinnati Division
will re-interview the subject with additional probing questions
concerning her contacts [redacted] and if deemed appropriate,
will consider the use of a polygraph







To: Cincinnati From: Springfield
Re: (U) 288-CI-68562, 09/28/1998


directly. Per telcall between SA [redacted] and SSA [redacted]
nothing will be sent directly to the National Security Division
for evaluation. Springfield considers this lead covered.
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE    Date: 08/24/1998

To: Cincinnati    Attn:

From: NSD
NIPC/CIOS/CIU/11719
Contact: SSA [redacted]

Approved By:
Drafted By:

Case ID #: 288-CI-68562 (Pending)

Title: UNSUB(S);
UNITED STATES AIR FORCE
INSTITUTE OF TECHNOLOGY - VICTIM;
CITA - COMPUTER INTRUSION;
OO: CINCINNATI

Synopsis: This communication is to forward documents to the
original case file.

Referral/Consult

Enclosures: Two copies of Request For Information letters sent
to [redacted]. One copy of response from NAVCIRT regarding
possible material related to captioned matter.

Details: Enclosed for Cincinnati are copies of documents
generated by or directed to the National Infrastructure
Protection Center (NIPC) regarding captioned matter. These
documents are being forwarded to Cincinnati for inclusion in the
original case file.


♦♦ 











U.S. Department of Justice

Federal Bureau of Investigation

Washington, D. C. 20535-0001

August 4, 1998


Dear

Referral/Consult


This letter is to request information from [redacted] databases and published reports that
may be relevant to an ongoing FBI criminal investigation. The investigation centers on a series
of intrusions into computer systems located at Wright Patterson Air Force Base. The intrusions
appear to originate from a series of Internet service providers located in the Russian Federation.
It also appears that the intruder is connecting to the ISPs through a "dial-up" connection, which
suggests a local (i.e. Russian) point of origin. The FBI currently possesses no information
indicating that the attacker is a U.S. person.

Technical information relevant to this request is provided in the enclosure, which
also specifies an operational point of contact in the FBI. As additional technical information
becomes available, it will be forwarded to the operational point of contact at [redacted].

The FBI legal contact point for this matter is Assistant General Counsel [redacted].
Please do not hesitate to call him if you require additional information.
Thank you for your assistance in this matter.


Sincerely, 


Associate General Counsel for National 
Security Affairs 


b6

b7C 


ccl 


OGC/m 


I 


1 



V 


The Wright Patterson Air Force Base (WPAFB), a key educational and research and
development base, has documented numerous intrusions into approximately eight of their
systems. The attacks primarily come through computers located in the computer lab at the
University of Cincinnati. However, attacks have been seen from Wright University, located in
Dayton, OH and Aticorp.net located in Charleston, SC. The intrusions into these U.S. systems
appears to be originating from a dialup connection to four Internet Service Providers (ISPs)
located in Russia. The hacking occurs Monday through Friday, midnight and approximately
9:00 a.m. EDT.


The following are the [redacted] involved:


:b7E 


The following passwords or environment variables have been used during the intrusions: 


The following are usernames, software authors or tool names: 


b6 

:b7C 


([redacted] is the name of [redacted] student whose account is being used at
[redacted]. Our information indicates she is a non-U.S. person.)


The following files are known to have been taken by the hacker from WPAFB: 


:b7E 


NIPC Operational POC is SSA 


be 

b7C 
U.S. Department of Justice

Federal Bureau of Investigation

Washington, D. C. 20535-0001

August 3, 1998


Referral/Consult


Dear


This letter is to request information from [redacted] databases and published reports
that may be relevant to an ongoing FBI criminal investigation. The investigation centers on a
series of intrusions into computer systems located at Wright Patterson Air Force Base. The
intrusions appear to originate from a series of Internet service providers located in the Russian
Federation. It also appears that the intruder is connecting to the ISPs through a "dial-up"
connection, which suggests a local (i.e. Russian) point of origin. The FBI currently possesses no
information indicating that the attacker is a U.S. person.

Technical information relevant to this request is provided in the enclosure, which
also specifies an operational point of contact in the FBI. As additional technical information
becomes available, it will be forwarded to the operational point of contact at [redacted].

The FBI legal contact point for this matter is Assistant General Counsel [redacted].
Please do not hesitate to call him if you require additional information.
Thank you for your assistance in this matter.


Sincerely, 


Associate General Counsel for National
Security Affairs 


b6

b7C


OGC/NIPC

NSA 


1 




U.S. Department of Justice 
Federal Bureau of Investigation 



Washington, D. C. 20535-0001 


August 31, 1998



FBI criminal investigation. The investigation centers on a series of intrusions into computer
systems located at Wright Patterson Air Force Base. The intrusions appear to originate from a
series of Internet service providers located in the Russian Federation. It also appears that the
intruder is connecting to the ISPs through a "dial-up" connection, which suggests a local (i.e.
Russian) point of origin. The FBI currently possesses no information indicating that the attacker
is a U.S. person.

(U) The FBI has already made (in an August 21, 1998, letter addressed to Acting
General Counsel [redacted]) a standard Request for Information in connection with this
investigation. The purpose of this letter is to add a technical assistance request so that [redacted]
expert personnel can assist the FBI investigators on certain technical questions relating to
computer data collected by the FBI.

The FBI legal contact point for this matter is Assistant General Counsel [redacted].
Please do not hesitate to call him if you require additional information.
Thank you for your assistance in this matter. (U)

Sincerely,

b6

b7C 

Associate General Counsel for National 
Security Affairs 
□ Confidential
□ Sensitive
□ Unclassified


Time Transmitted:
Number of Pages: 2

(including cover sheet)


To: NSA/OGC

Name of Office


Date: 08/31/1998


Facsimile Number: 301-688-6017


Attn:

Name Room Telephone


b6

b7C


From: NIPC 


Name of Office 


Subject: Technical Assistance Request 


Special Handling Instructions: 


Originator's Name: 


Originator's Facsimile Number: 202-324-0311 


Telephone: 


Approved: MJW _ 

Brief Description of Communication Faxed: See Attached 


■bb 

b7C 


WARNING 

Information attached to the cover sheet is U.S. Government Property. If you are not the intended recipient of this 
information, disclosure, reproduction, distribution, or use of this information is prohibited (18 USC § 641). Please notify the
originator or the local FBI Office immediately to arrange for proper disposition. 
FBI FACSIMILE
COVER SHEET


PRECEDENCE

□ Immediate
□ Priority
[X] Routine

CLASSIFICATION

□ Top Secret
□ Confidential
□ Sensitive
□ Unclassified

Time Transmitted: [illegible]

Sender's Initials: MJW

Number of Pages: 2
(including cover sheet)


To: NSA/gl» 


Date: 08/31/1998 


Name of Office 

Facsimile Number: 410-859-4888 

Attn: I 


Name 


Room 


Telephone 


b6 

hlC 


From: NIPC 


Name of Office 


Subject: Technical Assistance Request 


Special Handling Instructions: 


Originator's Name:


Originator's Facsimile Number: 202-324-0311 


Telephone: 


Approved: MJW _ 

Brief Description of Communication Faxed: See Attached 
U.S. Department of Justice


Federal Bureau of Investigation 


In Reply, Please Refer to 
File No. 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
September 21, 1998 


SA
USAF Office of Special Investigations
AFOSI Detachment 101
4165 Communications Boulevard, Suite 3
Wright-Patterson Air Force Base, Ohio 45433


To Whom It May Concern: 

Upon expiration of AFOSI’s Form 52 (Consensual 
Monitoring) at Wright State University (WSU), FBI Cincinnati will 
continue monitoring computers at WSU utilizing AFOSI monitoring 
equipment. Consensual monitoring will be in effect as of the 
date of this communication to the conclusion of this matter, 
pursuant to FBI Form FD-759, Notification of SAC authority 
granted for use of consensual monitoring equipment. 

Sincerely yours, 


■bo 

:b7C 




Sheri A. Farrar 
Special Agent in Charge 


By: I-1 

Supervisory Special Agent 


■bb 

b7C 


1 - Addressee
1 - Cincinnati (288-CI-68562)
In Reply, Please Refer to
File No. 288-CI-68562


U.S. Department of Justice 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
October 6, 1998 


DCFL 

500 Duncan Avenue, Room 1009 
Bolling AFB, DC 20332-6000 

SUBJECT: Request for Computer Forensic Media Analysis 


1. COMPLETE SUBJECT TITLE BLOCK INFORMATION: Wright-Patterson 
AFB, Ohio, June 1, 1998, Unauthorized access of governmental and 
civilian computer systems. Violation of Title 18, USC, Section 
1030; Fraud and Related Activity in Connection with Computers. 

2. PRIORITY: This is a Category 1 intrusion on several military 
systems. This joint investigation is considered one of the 
highest priority cases within the FBI and AFOSI realms. The 
analysis of the enclosed tapes is requested immediately by the 
Department of Justice, Department of Defense, the Federal Bureau 
of Investigation and AFOSI. 


3. CLASSIFICATION: This investigation is classified, however 
the evidence is not. 


4. CO-CASE AGENTS: SA [redacted], FBI, Cincinnati,
Ohio, commercial [redacted]; SA [redacted], AFOSI Det
101, WPAFB, Ohio, DSN [redacted],
commercial [redacted]. A-POC: SA [redacted],
WPAFB, Ohio, DSN [redacted], commercial [redacted].


5. SYNOPSIS OF THE CASE: On or about June 1, 1998, WPAFB began
detecting intrusions at several Air Force Institute of Technology
and Air Force Research Laboratory machines. [redacted]
[redacted] The intrusions originally
were detected coming through the University of Cincinnati;
however, additional intrusions have been detected at several 
education sites and numerous Internet Service Providers. The 
unidentified intruder uses authorized accounts and valid 
passwords to gain access into the victim systems and then FTP’s 
files, telnets to another system or pop roots. To date, 
investigative agencies have not been able to detect any sniffer, 
rootkit or trojanized programming. 
6. ITEMS TO BE ANALYZED:


1. One 3GB Hard Drive, Western Digital Caviar 33100 
(University of Wisconsin). Remarks: AFOSI Form 96 will be 
e-mailed to DCFL. The OS and other pertinent information will be 
on 96. 


2. One 4mm Digital Data Storage cartridge, 120M, 
labeled NVTST/OX, (Wright State University). Remarks: Ditto as 
above. 


3. Two 8mm Helical-Scan, HS-8/112 Maxell Data 
Cartridges [redacted]

SUPPORT REQUESTED: 


Extract all system logs, text, document, etc. 

Examine file system for modification to operating 
system software or configuration. 

Examine file system for back doors, check for setuid 
and setgid files. 

Examine file system for any sign of a sniffer program. 

Extract data from this 4mm/8mm tape and convert to 
readable format - cut to CD. 

Backup hard drives and place backup on a CD, tape or 
other format. 

Analyze for deleted files and restore deleted files, 
cut findings to CD. 

Extract all pertinent text files of a sexual nature. 

Extract all trojanized programs or scripts/code 
programs, cut to CD. 

Provide an analysis report and cut all findings to CD. 


7. PERTINENT DATA: Coordinate with SA [redacted] and HQ AFOSI/XOII
with pertinent data.


8. AUTHORITY: OSI Form 96 will be sent electronically. 


9. OTHER DOCUMENTS: The ACISS report is the same as the one
sent on the August 26, 1998 request. 

10. INSTRUCTIONS: Please make five copies and send all copies 
of the analysis report to HQ AFOSI/XOII. HQ AFOSI/XOII will 
distribute the analysis accordingly. Please return all evidence 
to FBI Cincinnati. 
ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED
DATE 07-06-2012 BY 60324/UC/baw/sab/aio


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 


10/26/98 


[redacted], Date of Birth (DOB) [redacted], Social
Security Account Number (SSAN) [redacted], was advised of the
identities of the interviewing Agents and the purpose of the
interview. [redacted] voluntarily furnished the following
information:


[redacted] identified her boyfriend as [redacted],
a white male, DOB [redacted]. [redacted] resides in
[redacted]. He is a [redacted] who works at a
factory [redacted] which utilizes a turbo prop to pump and
maintain oil for commercial purposes. [redacted] was unable to
identify the factory location and was unable to comment whether
the factory has any ties to the [redacted].
She recalled that [redacted] has worked there since late [redacted].
[redacted] recently informed [redacted] that he is in search of a new
job.

[redacted] advised her most recent contact with [redacted] was
approximately [illegible] via e-mail. [redacted] most recently
visited [redacted]. She stayed with her
family for [redacted] while visiting friends and family.

Prior to enrolling at [redacted], [redacted]
obtained financial assistance from [redacted], a foundation that
provides funds for European students to study abroad. [redacted]
logged onto [redacted]
web site and learned from an advisor the type of
research that is conducted at that department. [redacted] liked what
[redacted] program had to offer, and as a result, she matriculated at
[redacted]. [redacted] is a Ph.D. candidate matriculated in the
aforementioned program


advised her research at 


involves 





application. 


According to|_| mixed signal design can be 

applications to include military
advised her research at □ is strictly 



Continuation of FD-302 of [redacted], On 10/16/98, Page


theoretical research, she does not know who the end user is of
the research she conducts. Her [redacted]


[redacted] recalled that during her visit at the U.S.
Embassy [redacted] she was interviewed
by an embassy employee concerning her request for an exit visa to
study abroad. The employee spoke Romanian and English. He asked
the following questions:


1. Who is funding your trip? 

2. How long will you be in the U.S.? 

3. Why are you traveling to the U.S.? 

4. When will you return? 

5. Do you have any family in the U.S.? 

6. Will you be working in the U.S.? 


[redacted] asserted the interview lasted approximately
fifteen minutes. The interviewer was male and was dressed in a
suit and tie. The interview was conducted within the confines of
the general office space where there was no expectation of
privacy. [redacted] affirmed that at no time was she asked, promised,
and/or influenced to cooperate with embassy officials and/or
other government employees.


[redacted] stated that she maintains weekly e-mail
correspondence with her boyfriend, [redacted] and other friends and
family [redacted]. Her contacts [redacted] are very limited. She
advised that [redacted] has a very small [redacted] group that meets
approximately once a month for social functions. [redacted] added
that she would contact the FBI in the event she feels threatened
and/or is confronted by any unusual person(s).


[redacted] advised she would not object to a polygraph if
requested to do so.









In Reply, Please Refer to 
File No.


U.S. Department of Justice 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Furman University 
3300 Poinsett Hwy. 
Greenville, SC 29613 


Dear 


RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


This letter is to follow up our telephone conversation 
on November 2, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following dates: September 22 and 24, 1998, an unknown
individual illegally entered a state owned academic institutional
computer system at sumac.occ.uc.edu.


According to our investigation, this communication originated or
passed through your system, furman.edu.


b6 
This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f),
provides:


(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process.

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA [redacted] at [redacted].


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By: 


Supervisory Special Agent 






U.S. Department of Justice 



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


University of Pittsburgh
600 Epsilon Drive 
Pittsburgh, PA 15238 

RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on November 2, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 18, 1998, an unknown individual
illegally entered a state owned institutional computer
system at sumac.occ.uc.edu.


According to our
investigation, this communication originated or passed through
your system, unixs2.cis.pitt.edu.


This letter serves to inform you that I will be 
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 
For ease of reference, Title 18, U.S.C., 2703(f),
provides:


(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process.

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 

Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA [redacted] at [redacted].


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:


Supervisory Special Agent 








U.S. Department of Justice 



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Harvard University 
Network Services Division 
Office for Information Technology 
-3r0—Warre—Street l • 

Cambridge, MA 02138 


RE: Notice to Preserve Evidence Under
Title 18, U.S.C., 2703(f)


Dear


This letter is to follow up our telephone conversation 
on October 30, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following dates: September 22 and 24, 1998, an unknown
individual illegally entered a state academic institutional
computer system at sumac.occ.uc.edu.

According to our investigation, this communication originated or
passed through your system, jsbach.harvard.edu.

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f),
provides:


(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process.

(2) Period of retention.- Records referred to in 
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 


(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:


Supervisory Special Agent





ALL INFORMATION CONTAINED
HEREIN IS UNCLASSIFIED

DATE 07-06-2012 BY 60324/UC/baw/3aB/aio

U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Bryn Mawr College 
101 North Merion Ave. 
Bryn Mawr, PA 19010-2899 


RE: Notice to Preserve Evidence Under
Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on October 30, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 23, 1998, an unknown individual 

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary 
steps to preserve records and other evidence in its possession 
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 


Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in
order to prevent the authorized seizing or securing of any
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By: 


Supervisory Special Agent


U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Florida Institute of Technology (FIT-DOM) 
150 West University Blvd. 

Melbourne, FL 32901 


RE: Notice to Preserve Evidence Under
Title 18, U.S.C., 2703(f) 


Dear


This letter is to follow up our telephone conversation 
on October 30, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 22, 1998, an unknown individual 
illegally entered a state owned academic institutional computer
system at sumac.occ.uc.edu. According to our
investigation, this communication originated or passed through
your system, sunmlb.new.fit.edu.

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service, 
upon the request of a government entity, shall take all necessary 
steps to preserve records and other evidence in its possession 
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 


Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:


Supervisory Special Agent 






U.S. Department of Justice



In Reply, Please Refer to 
File No.


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Indiana University, South Bend Campus 
1700 Mishawaka Ave. 

South Bend, IN 46634-7111 


RE: Notice to Preserve Evidence Under
Title 18, U.S.C., 2703(f)


Dear


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): August 25 and 26, 1998, an unknown individual 
illegally entered a state owned academic institutional computer
system at sumac.occ.uc.edu. According to our
investigation, this communication originated or passed through
your system, oitl.iusb.edu.


This letter serves to inform you that I will be 
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or 
electronic communication service or a remote computing service, 
upon the request of a government entity, shall take all necessary 
steps to preserve records and other evidence in its possession 
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides:

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 

Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:

Supervisory Special Agent


U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


California Institute of Technology 
Information Technology Services 
014-81 

Pasadena, CA 91125 

RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the
following date(s): September 22, 1998, an unknown individual 
illegally entered a state owned academic institutional computer
system at sumac.occ.uc.edu. According to our
investigation, this communication originated or passed through
your system, newvortex.ama.caltech.edu.

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 

For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process.

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 


(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:

Supervisory Special Agent


U.S. Department of Justice


Federal Bureau of Investigation 


In Reply, Please Refer to 
File No. 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Haverford College 
Academic Computing 
Haverford, PA 19041 


RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 23 and 24, 1998, an unknown 
individual illegally entered a state owned academic institutional
computer system at sumac.occ.uc.edu.
According to our investigation, this communication originated or
passed through your system, io.haverford.edu.


This letter serves to inform you that I will be 
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the
aforementioned connections.

For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.


(1) In general.- A provider of a wire or 
electronic communication service or a remote computing service, 
upon the request of a government entity, shall take all necessary 
steps to preserve records and other evidence in its possession 
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 


(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours,


Sheri A. Farrar 
Special Agent in Charge 


By:


Supervisory Special Agent


U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


University of Texas at Austin 
Office of Telecommunication Services 
Services Building, Room 319 
Austin, TX 78712-1024 


RE: Notice to Preserve Evidence Under
Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 22, 1998, an unknown individual
illegally entered a state owned academic institutional computer
system at sumac.occ.uc.edu. According to our
investigation, this communication originated or passed through
your system, net.cs.utexas.edu.


This letter serves to inform you that I will be 
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections.


For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process.

1 - Addressee
- Cl (288-CI-68562) BB:bb (2)

(2) Period of retention.- Records referred to in 
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 

Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


By:


Supervisory Special Agent


U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000
Cincinnati, Ohio 45202 
November 3, 1998 


Auburn University 

Division of Telecommunications/ETV 
Auburn University, AL 36849-5423 


RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


Dear


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 23, 1998, an unknown individual 
illegally entered a state owned academic institutional computer
system at sumac.occ.uc.edu. According to our
investigation, this communication originated or passed through
your system, node-57-2.spidle.auburn.edu.

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve 
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 


For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in 
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides: 

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 

Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours, 

Sheri A. Farrar 
Special Agent in Charge 


Supervisory Special Agent


U.S. Department of Justice



In Reply, Please Refer to 
File No. 


Federal Bureau of Investigation 


550 Main Street, Room 9000 
Cincinnati, Ohio 45202 
November 3, 1998 


Duke University 
407 North Building 
Durham, NC 27706 


RE: Notice to Preserve Evidence Under 

Title 18, U.S.C., 2703(f) 


Dear 


This letter is to follow up our telephone conversation 
on October 29, 1998. As I stated at that time, I am a Special 
Agent for the Federal Bureau of Investigation (FBI), a duly 
authorized federal law enforcement officer empowered to 
investigate unauthorized access into private, state, local and 
federal computer systems. As previously discussed, during the 
following date(s): September 22 and 24, 1998, an unknown 
individual illegally entered a state owned academic institutional
computer system at sumac.occ.uc.edu.
According to our investigation, this communication originated or
passed through your system, bme-www.egr.duke.edu.

This letter serves to inform you that I will be
pursuing the issuance of a subpoena and/or court order under 
Title 18, U.S.C., 2703(d), respectively, to trace the unknown 
individual back from your system. Inasmuch that this process can 
be time consuming, I have requested, pursuant to Title 18, 

U.S.C., 2703(f), that you take appropriate measures to preserve
transactional logs, contents of any relevant communications, 
back-up files, and any other evidence that pertains to the 
aforementioned connections. 




For ease of reference, Title 18, U.S.C., 2703(f), provides:

(f) Requirement to preserve evidence.

(1) In general.- A provider of a wire or
electronic communication service or a remote computing service,
upon the request of a government entity, shall take all necessary
steps to preserve records and other evidence in its possession
pending the issuance of a court order or other process. 

(2) Period of retention.- Records referred to in 
paragraph (1) shall be retained for a period of 90 days, which 
shall be extended for an additional 90 day period upon a renewal 
request by the governmental entity. 

Finally, although you have been most cooperative, we 
have in other situations, experienced some informational leaks. 
While such leaks may represent misplaced good intentions, they 
can have serious impact upon our investigation. Accordingly, we 
would respectfully request that your personnel be placed on 
notice that they are subject to criminal liability should they 
disclose any privileged information. The governing statute in 
this regard is Title 18, U.S.C., 2232(b), which provides:

(b) Notice of Search.- Whoever, having knowledge that 
any person authorized to make searches and seizures has been 
authorized or is otherwise likely to make a search or seizure, in 
order to prevent the authorized seizing or securing of any 
person, goods, wares, merchandise, or other property, gives 
notice or attempts to give notice of the possible search and 
seizure to any person, shall be fined under this title or 
imprisoned not more than five years, or both. 


Again, I greatly appreciate your cooperation in this 
matter with our agency. If you have any questions or comments,
please feel free to call SA at


Sincerely yours,


Sheri A. Farrar 
Special Agent in Charge 


By: 


Supervisory Special Agent 